Noonan, president and CEO of Internet Security Systems, says he never imagined the day would come when he'd sell the company or, as he says, "walk my baby daughter down the aisle." But that's what Noonan is doing, with a pending $1.3 bill

Reach and Resources

Q: So what's the benefit of this deal, if you're going to keep operating independently?

A: Well, the benefit of this deal really comes down to two simple things: reach and resources. IBM looked at my 2008, 2009, 2010 product road maps and said, "Move that into 2007." I've got 300 engineers that I can't afford to hire as a public company because every 90 days I've gotta put profits out there. They said, "Bring it all in, hire the engineers, get the research going." They've got a huge amount of research and no way to commercialize it. So that to me was the most compelling thing. Lots of companies have big sales forces. Very few companies have the brand that IBM has in the enterprise. They're pretty unique out there. But the fact is that they were going to get us to our vision a hell of a lot quicker and with research and resources we couldn't touch ourselves.

Security is a big business. If you look at it from a business perspective, it has to be one of the most anomalous markets in I.T. By that I mean, security is a maturing market where the top 10 companies in I.T. security control less than 40% of the market. I think we're No. 5 in terms of revenue if you bake us out against Symantec, etc. Look at the ERP [enterprise resource planning] market, you've got two or three vendors. The PC market, for all practical purposes, is three vendors. You look at security, it's a maturing market but it's as fragmented as can be.

Q: Why is that?

A: Because no big company, in my mind, has made a concerted effort to go after the market in a way that they have the staying power and the resources to win it.

Q: What about Cisco?

A: Cisco's all about the network. They're not worrying about the other 70% of the other security people have to have. They're trying to differentiate IOS [Internetworking Operating System, the code that runs its networking equipment] as the secure piece of the infrastructure.

I think we're entering an era where executives are saying, "Someone show me how my security system is performing across the whole mess, across the desktops, the servers, the applications, the network." And security wasn't built like that. Security was built as a stovepipe. We got on the Internet and we added firewalls. When we had viruses, we built antivirus. When we had spam, we built antispam. All of this stuff exists like this. What we did starting in 2001, our customers were struggling with that problem, we said, let's build an open platform that takes advantage of all this disparate stuff but is not a management console that is just feeding a bunch of events in.

Increasingly our customers are taking advantage of the architecture we've built [for Proventia, ISS's core intrusion prevention system]: same architecture from desktop to network to server. Our long-term goal was very aligned with IBM because we want to do for security what Google did for search: we want to make security an on-demand service. Next year when we're fighting lions and tigers and bears instead of viruses and Trojans and worms, turn on the service. You don't have to bolt on and implement a whole new set of stovepipes to deal with the latest threat.

Q: But that's not how people have bought security in the past.

A: No. It absolutely is not how people bought security.

Q: And a lot of people aren't comfortable buying security as a service, right?

A: No, they aren't. Probably the most mature market in enterprise security is one of two things: desktop antivirus or gateway firewalls. The argument about whether a Cisco firewall is better than a Check Point firewall isn't an argument now. As best of breed matures, the ability to innovate on "how good is the security" is becoming less and less. There's a reason Symantec and McAfee make the vast majority of their money in the consumer space. Consumers will still pay $19.95 per month for antivirus. GE is paying 10 cents per desktop. That's because it's undifferentiated.

We want to change the security game, and the best possible way for us to do that is with some muscle behind us. Security won't be like it is five years from now, or 10 years from now. Because innovation is going to make it more automated, it's going to make it more transparent, and it's going to make it more flexible and extensible. Go ask a CIO today if they like what they're spending on all these pieces of security; they hate it. Go ask them if they can give a single report to their management that says, Here's how we're performing versus last month, versus our industry, or versus my biggest competitor. So, Proventia is all about security acting like an enterprise control system.